Hello community, here is the log from the commit of package webyast-base-ws for openSUSE:Factory checked in at Fri Jan 14 11:56:05 CET 2011. -------- New Changes file: --- /dev/null 2010-08-26 16:28:41.000000000 +0200 +++ /mounts/work_src_done/STABLE/webyast-base-ws/webyast-base-ws.changes 2011-01-06 14:29:03.000000000 +0100 
@@ -0,0 +1,589 @@ +------------------------------------------------------------------- +Thu Jan 6 13:14:29 UTC 2011 - lslezak@suse.cz + +- fixed patching passenger_root in nginx.conf file +- symlink additional nginx files (instead of hard copying) +- 0.2.10 + +------------------------------------------------------------------- +Mon Dec 27 10:57:28 UTC 2010 - lslezak@suse.cz + +- temporarily disabled YastServiceTest - it gets stuck in + FACTORY/i586 build (workaround for bnc#661473) +- 0.2.9 + +------------------------------------------------------------------- +Wed Dec 22 12:06:26 UTC 2010 - lslezak@suse.cz + +- use rubygem-ruby-dbus instead of ruby-dbus in FACTORY/11.4 +- 0.2.8 + +------------------------------------------------------------------- +Wed Dec 22 10:22:48 UTC 2010 - lslezak@suse.cz + +- added webyast-base-ws-rpmlintrc with disabled Dbus and PolicyKit + checks (so it builds in FACTORY/11.4) +- 0.2.7 + +------------------------------------------------------------------- +Wed Dec 15 13:48:20 UTC 2010 - schubi@novell.com + +- switching to nginx + http://lists.opensuse.org/yast-devel/2010-12/msg00000.html +- 0.2.6 + +------------------------------------------------------------------- +Wed Sep 15 16:13:01 UTC 2010 - schubi@novell.com + +- restart service correctly if the package has been renamed (bnc#637779) +- 0.2.5 + +------------------------------------------------------------------- +Tue Sep 14 10:49:15 UTC 2010 - jreidinger@novell.com + +- VUL0: fix regex in permission service (bnc#616267) +- 0.2.4 + +------------------------------------------------------------------- +Tue Sep 7 14:45:46 CEST 2010 - mvidner@suse.cz + +- reload D-Bus config explicitly (bnc#635826). 
+- BuildRequire the more recent rubygem variants of polkit and rpam (bnc#636781) +- 0.2.3 + +------------------------------------------------------------------- +Fri Aug 27 14:45:07 CEST 2010 - mzugec@suse.cz + +- configuration for logrotate (bnc#634404) +- 0.2.2 + +------------------------------------------------------------------- +Wed Aug 25 18:08:09 CEST 2010 - mkudlvasr@suse.cz + +- Added BackgroundManager.process_exists? (for SLMS) + +------------------------------------------------------------------- +Mon Aug 23 12:37:45 UTC 2010 - jreidinger@novell.com + +- add url to spec file (bnc#625537) +- 0.2.1 + +------------------------------------------------------------------- +Thu Jul 29 08:14:08 UTC 2010 - jreidinger@novell.com + +- fix setting permissions to Samba users (bnc#624243) +- 0.2.0 + +------------------------------------------------------------------- +Wed Jul 21 09:53:57 UTC 2010 - jreidinger@novell.com + +- fix path in yastws service +- add ability to tell matching background process +- 0.1.27 + +------------------------------------------------------------------- +Thu Jul 15 14:12:29 UTC 2010 - jreidinger@novell.com + +- reingrate changes from 1.0 maintenance +- enable again rpam as it provide speed up for LDAP and AD +- 0.1.26 + +------------------------------------------------------------------- +Tue Jul 13 11:21:24 UTC 2010 - jreidinger@novell.com + +- reduce dependency ( provide own yast-ui so it need not install + yast2-gtk with all of its dependencies ) +- 0.1.25 + +------------------------------------------------------------------- +Thu Jul 8 14:25:21 UTC 2010 - jreidinger@novell.com + +- fix caching for permissions +- 0.1.24 + +------------------------------------------------------------------- +Thu Jul 8 10:20:22 UTC 2010 - jreidinger@novell.com + +- add test with real activeResource +- remove obsolete roles configuration +- 0.1.23 + +------------------------------------------------------------------- +Wed Jun 30 15:06:57 CEST 2010 - 
jreidinger@novell.com + +- simplify permissions module +- switched Resource to BaseModel (maintenance, better to_json performance) +- fixed setting a custom bug reporting URL(bnc#596558) +- changed the format of JSON output to be parsable by ActiveResource +- test for failure of generating the session secret (bnc#614037) +- rename session_key to key as it is key from rails-2_3 +- improve logging of unknown exception and properly report it to frontend +- move other testsuite requires to shared helper +- enabled deploying for other users than yastws (mvidner) + +------------------------------------------------------------------- +Mon May 31 11:59:22 CEST 2010 - schubi@suse.de + +- enabled translation, with rubygem-http_accept_language + +------------------------------------------------------------------- +Fri May 28 13:55:47 UTC 2010 - jreidinger@novell.com + +- removed obsolete tests +- properly pack DBus error as backend exception +- BackendException is abstract exception (bnc#601941) +- add granting method to permission model +- filter nonsuse permission only if no filter is passed +- grantwebyastrights is not a config file +- add service for granting and revoking permissions + +------------------------------------------------------------------- +Fri May 7 11:02:07 UTC 2010 - jreidinger@novell.com + +- user is logged in for 2 hours (instead 1 day) (bnc#583237) +- 0.1.22 + +------------------------------------------------------------------- +Tue May 4 14:26:35 CEST 2010 - mvidner@suse.cz + +- Run a separate session bus for build-time tests (broken in 0.1.19) +- 0.1.21 + +------------------------------------------------------------------- +Tue May 4 08:42:00 CEST 2010 - mvidner@suse.cz + +- Added CollectionResourceTests, companion to PluginBasicTests + (bnc#600097) +- 0.1.20 + +------------------------------------------------------------------- +Mon May 3 12:50:32 UTC 2010 - kkaempf@novell.com + +- Report missing permission as 403:Forbidden (bnc#598794) +- 0.1.19 + 
+------------------------------------------------------------------- +Fri Apr 30 12:52:05 UTC 2010 - jreidinger@novell.com + +- unify *.spec files (bnc#560061) +- 0.1.18 + +------------------------------------------------------------------- +Wed Apr 28 10:31:30 UTC 2010 - jreidinger@novell.com + +- remove from configuration rails.inc which is removed and cleanup + lighttpd configuration (bnc#600389) +- 0.1.17 + +------------------------------------------------------------------- +Tue Apr 27 11:41:42 UTC 2010 - jreidinger@novell.com + +- fix routing issue in resource controller (bnc#600060) +- 0.1.16 + +------------------------------------------------------------------- +Tue Apr 27 07:55:20 UTC 2010 - jreidinger@novell.com + +- permission check accept also symbol +- 0.1.15 + +------------------------------------------------------------------- +Mon Apr 26 13:43:44 UTC 2010 - schubi@novell.com + +- removed not needed cleanurl-v5.lua + +------------------------------------------------------------------- +Fri Apr 23 13:09:55 UTC 2010 - jreidinger@novell.com + ++++ 392 more lines (skipped) ++++ between /dev/null ++++ and /mounts/work_src_done/STABLE/webyast-base-ws/webyast-base-ws.changes calling whatdependson for head-i586 New: ---- grantwebyastrights nginx.conf org.opensuse.yast.permissions.policy webyast webyast-base-ws.changes webyast-base-ws-rpmlintrc webyast-base-ws.spec webyast.permissions.conf webyastPermissionsService.rb webyast.permissions.service.service webyast-ws.lr.conf www.tar.bz2 yast_user_roles yastws ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ webyast-base-ws.spec ++++++ # # spec file for package webyast-base-ws # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
# The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           webyast-base-ws
Provides:       yast2-webservice = %{version}
Obsoletes:      yast2-webservice < %{version}
%if 0%{?suse_version} == 0 || %suse_version > 1110
# 11.2 or newer
%if 0%{?suse_version} > 1120
# since 11.3, they are in a separate subpackage
Requires:       sysvinit-tools
%else
# Require startproc respecting -p, bnc#559534#c44
Requires:       sysvinit > 2.86-215.2
%endif
Requires:       yast2-core >= 2.18.10
%else
# 11.1 or SLES11
Requires:       yast2-core >= 2.17.30.1
Requires:       sysvinit > 2.86-195.3.1
%endif
Requires:       nginx-passenger
Requires:       ruby-fcgi, sqlite, syslog-ng
%if 0%{?suse_version} == 0 || %suse_version <= 1130
Requires:       ruby-dbus
%else
Requires:       rubygem-ruby-dbus
%endif
Requires:       rubygem-webyast-rake-tasks, rubygem-http_accept_language
Requires:       yast2-dbus-server
# 634404
Recommends:     logrotate
PreReq:         PolicyKit, PackageKit, rubygem-rake, rubygem-sqlite3
PreReq:         rubygem-rails-2_3 >= 2.3.4
PreReq:         rubygem-rpam, rubygem-polkit, rubygem-gettext_rails
PreReq:         yast2-runlevel
License:        LGPLv2.1
Group:          Productivity/Networking/Web/Utilities
Url:            http://en.opensuse.org/Portal:WebYaST
AutoReqProv:    on
Version:        0.2.10
Release:        1
Summary:        WebYaST - base components for rest service
Source:         www.tar.bz2
Source1:        webyastPermissionsService.rb
Source2:        webyast.permissions.conf
Source3:        webyast.permissions.service.service
Source4:        org.opensuse.yast.permissions.policy
Source5:        grantwebyastrights
Source6:        yast_user_roles
Source9:        yastws
Source10:       webyast
Source11:       webyast-ws.lr.conf
Source12:       nginx.conf
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  pkg-config ruby rubygem-mocha
# if we run the tests during build, we need most of Requires here too,
# except for deployment specific stuff
BuildRequires:  rubygem-restility rubygem-webyast-rake-tasks
BuildRequires:  dbus-1 sqlite yast2-core yast2-dbus-server
%if 0%{?suse_version} == 0 || %suse_version <= 1130
BuildRequires:  ruby-dbus
%else
BuildRequires:  rubygem-ruby-dbus
%endif
BuildRequires:  PackageKit PolicyKit rubygem-sqlite3
BuildRequires:  rubygem-rails-2_3 >= 2.3.4
BuildRequires:  rubygem-polkit rubygem-rpam
# the testsuite is run during build
BuildRequires:  rubygem-mocha rubygem-test-unit
BuildRequires:  nginx-passenger
# This is for Hudson (build service) to setup the build env correctly
%if 0
BuildRequires:  rubygem-test-unit
BuildRequires:  rubygem-rcov >= 0.9.3.2
%endif
# we do not necessarily need any UI in case of WebYaST
Provides:       yast2_ui
Provides:       yast2_ui_pkg
# rpmlint warns about file duplicates, this should take care but
# doesn't build (?!)
#%if 0%{?suse_version} > 1020
#BuildRequires:  fdupes
#%endif
BuildArch:      noarch

%package testsuite
License:        LGPLv2.1
Group:          Productivity/Networking/Web/Utilities
Requires:       webyast-base-ws = %{version}
Summary:        Testsuite for webyast-base-ws package

#
%define pkg_home /var/lib/%{webyast_ws_user}
#

%description
WebYaST - Core components for REST based interface to system manipulation.

Authors:
--------
    Duncan Mac-Vicar Prett <dmacvicar@suse.de>
    Klaus Kaempf <kkaempf@suse.de>
    Bjoern Geuken <bgeuken@suse.de>
    Stefan Schubert <schubi@suse.de>

%description testsuite
Testsuite for core WebYaST webservice package.

%prep
%setup -q -n www

%build

%check
# run the testsuite
RAILS_ENV=test rake db:migrate
RAILS_ENV=test $RPM_BUILD_ROOT%{webyast_ws_dir}/test/dbus-launch-simple rake test

#---------------------------------------------------------------
%install
#
# Install all web and frontend parts.
#
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/log/
cp -a * $RPM_BUILD_ROOT%{webyast_ws_dir}/
rm -f $RPM_BUILD_ROOT%{webyast_ws_dir}/log/*
rm -f $RPM_BUILD_ROOT%{webyast_ws_dir}/COPYING
touch $RPM_BUILD_ROOT%{webyast_ws_dir}/db/schema.rb
%{__install} -d -m 0755 \
    %{buildroot}%{pkg_home}/sockets/ \
    %{buildroot}%{pkg_home}/cache/ \
    %{buildroot}%{_sbindir} \
    %{buildroot}%{_var}/log/%{webyast_ws_user}
#
# init script
#
%{__install} -D -m 0755 %SOURCE9 \
    %{buildroot}%{_sysconfdir}/init.d/%{webyast_ws_service}
%{__ln_s} -f %{_sysconfdir}/init.d/%{webyast_ws_service} %{buildroot}%{_sbindir}/rc%{webyast_ws_service}
#
# configure nginx web service
mkdir -p $RPM_BUILD_ROOT/etc/yastws/
install -m 0644 %SOURCE12 $RPM_BUILD_ROOT/etc/yastws/
# create symlinks to nginx config files
ln -s /etc/nginx/fastcgi.conf $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/fastcgi_params $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/koi-utf $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/koi-win $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/mime.types $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/scgi_params $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/uwsgi_params $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/win-utf $RPM_BUILD_ROOT/etc/yastws
# Policies
mkdir -p $RPM_BUILD_ROOT/usr/share/PolicyKit/policy
install -m 0644 %SOURCE4 $RPM_BUILD_ROOT/usr/share/PolicyKit/policy/
install -m 0644 %SOURCE6 $RPM_BUILD_ROOT/etc/
install -m 0555 %SOURCE5 $RPM_BUILD_ROOT/usr/sbin/
# firewall service definition, bnc#545627
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services
install -m 0644 %SOURCE10 $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services
# logrotate configuration bnc#634404
mkdir $RPM_BUILD_ROOT/etc/logrotate.d
install -m 0644 %SOURCE11 $RPM_BUILD_ROOT/etc/logrotate.d
# create yastws dirs (config, var and data)
mkdir -p $RPM_BUILD_ROOT/etc/webyast
mkdir -p $RPM_BUILD_ROOT/var/lib/yastws
mkdir -p $RPM_BUILD_ROOT/usr/share/yastws
# create empty tmp directory
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/cache
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/pids
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/sessions
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/sockets
# install permissions service
mkdir -p $RPM_BUILD_ROOT/usr/sbin/
install -m 0500 %SOURCE1 $RPM_BUILD_ROOT/usr/sbin/
mkdir -p $RPM_BUILD_ROOT/etc/dbus-1/system.d/
install -m 0644 %SOURCE2 $RPM_BUILD_ROOT/etc/dbus-1/system.d/
mkdir -p $RPM_BUILD_ROOT/usr/share/dbus-1/system-services/
install -m 0444 %SOURCE3 $RPM_BUILD_ROOT/usr/share/dbus-1/system-services/
#create dummy update-script
mkdir -p %buildroot/var/adm/update-scripts
touch %buildroot/var/adm/update-scripts/%name-%version-%release-1

#---------------------------------------------------------------
%clean
rm -rf $RPM_BUILD_ROOT

#---------------------------------------------------------------
%pre
#
# e.g. adding user
#
/usr/sbin/groupadd -r %{webyast_ws_user} &>/dev/null ||:
/usr/sbin/useradd -g %{webyast_ws_user} -s /bin/false -r -c "User for YaST-Webservice" -d %{pkg_home} %{webyast_ws_user} &>/dev/null ||:

# services will not be restarted correctly if
# the package name changes during the update.
# So the service will be restarted by an update-script
# which will be called AFTER the installation
if /bin/rpm -q yast2-webservice > /dev/null ; then
    echo "renaming yast2-webservice to webyast-base-ws"
    if /sbin/yast runlevel summary service=yastws 2>&1|grep " 3 "|grep yastws >/dev/null ; then
        echo "yastws is inserted into the runlevel"
        echo "#!/bin/sh" > %name-%version-%release-1
        echo "/sbin/yast runlevel add service=yastws" >> %name-%version-%release-1
        echo "/usr/sbin/rcyastws restart" >> %name-%version-%release-1
    else
        if /usr/sbin/rcyastws status > /dev/null ; then
            echo "yastws is running"
            echo "#!/bin/sh" > %name-%version-%release-1
            echo "/usr/sbin/rcyastws restart" >> %name-%version-%release-1
        fi
    fi
    if [ -f %name-%version-%release-1 ] ; then
        install -D -m 755 %name-%version-%release-1 /var/adm/update-scripts
        rm %name-%version-%release-1
        echo "Please check the service runlevels and restart WebYaST service with \"rcyastws restart\" if the update has not been called with zypper,yast or packagekit"
    fi
fi
exit 0

#---------------------------------------------------------------
%post
%fillup_and_insserv %{webyast_ws_service}
#
#granting permissions for yastws
#
if [ `/usr/bin/polkit-auth --user %{webyast_ws_user} | grep -c "org.freedesktop.packagekit.system-update"` -eq 0 ]; then
    # FIXME: remove ||: (don't hide errors), has to be correctly implemented for package update...
    /usr/bin/polkit-auth --user %{webyast_ws_user} --grant org.freedesktop.packagekit.system-update > /dev/null ||:
fi
if [ `/usr/bin/polkit-auth --user %{webyast_ws_user} | grep -c "org.freedesktop.policykit.read"` -eq 0 ]; then
    # FIXME: remove ||: (don't hide errors), has to be correctly implemented for package update...
    /usr/bin/polkit-auth --user %{webyast_ws_user} --grant org.freedesktop.policykit.read > /dev/null ||:
fi
if [ `/usr/bin/polkit-auth --user %{webyast_ws_user} | grep -c "org.opensuse.yast.module-manager.import"` -eq 0 ]; then
    # FIXME: remove ||: (don't hide errors), has to be correctly implemented for package update...
    /usr/bin/polkit-auth --user %{webyast_ws_user} --grant org.opensuse.yast.module-manager.import > /dev/null ||:
fi
#
# granting all permissions for root
#
/usr/sbin/grantwebyastrights --user root --action grant > /dev/null ||:
#
# create database
#
cd %{webyast_ws_dir}
#migrate database
RAILS_ENV=production rake db:migrate
chown -R %{webyast_ws_user}: db
chown -R %{webyast_ws_user}: log
echo "Database is ready"
#
# patching nginx configuration
#
# the pattern ends with a slash so that a passenger_root which already
# points to /usr/lib64 is left alone instead of becoming /usr/lib6464
if [ -d /usr/lib64 ]; then
    sed -i "s|passenger_root /usr/lib/|passenger_root /usr/lib64/|" /etc/yastws/nginx.conf
fi
#
# try-reload D-Bus config (bnc#635826)
#
dbus-send --print-reply --system --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null ||:

#---------------------------------------------------------------
%preun
%stop_on_removal %{webyast_ws_service}

#---------------------------------------------------------------
%postun
%restart_on_update %{webyast_ws_service}
%{insserv_cleanup}

#---------------------------------------------------------------
# restart yastws on nginx update (bnc#559534)
%triggerin -- nginx
%restart_on_update %{webyast_ws_service}

#---------------------------------------------------------------
%files
%defattr(-,root,root)
#this /etc/yastws is for lighttpd conf for yastws
%dir /etc/yastws
%dir %{webyast_ws_dir}
%dir %{_datadir}/PolicyKit
%dir %{_datadir}/PolicyKit/policy
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{pkg_home}
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{pkg_home}/sockets
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{pkg_home}/cache
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{_var}/log/%{webyast_ws_user}
#logrotate configuration file
%config(noreplace) /etc/logrotate.d/webyast-ws.lr.conf
#this /etc/webyast is for webyast configuration files
%dir /etc/webyast/
%dir %{_datadir}/yastws
%dir %attr(-,%{webyast_ws_user},root) /var/lib/yastws
%dir %{webyast_ws_dir}/db
%{webyast_ws_dir}/app
%{webyast_ws_dir}/db/migrate
%ghost %{webyast_ws_dir}/db/schema.rb
%{webyast_ws_dir}/doc
%{webyast_ws_dir}/lib
%{webyast_ws_dir}/public
%{webyast_ws_dir}/Rakefile
%{webyast_ws_dir}/script
%dir %{webyast_ws_dir}/config
%{webyast_ws_dir}/config/boot.rb
%{webyast_ws_dir}/config/database.yml
%{webyast_ws_dir}/config/environments
%{webyast_ws_dir}/config/initializers
%{webyast_ws_dir}/config/routes.rb
#also users can run granting script, as permissions is handled by policyKit right for granting permissions
%attr(555,root,root) /usr/sbin/grantwebyastrights
%attr(755,root,root) %{webyast_ws_dir}/start.sh
%attr(500,root,root) /usr/sbin/webyastPermissionsService.rb
%attr(444,root,root) /usr/share/dbus-1/system-services/webyast.permissions.service.service
%attr(644,root,root) %config /etc/dbus-1/system.d/webyast.permissions.conf
%doc %{webyast_ws_dir}/README
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %{webyast_ws_dir}/log
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %{webyast_ws_dir}/tmp
#nginx stuff
%config(noreplace) /etc/yastws/nginx.conf
%config /etc/yastws/fastcgi.conf
%config /etc/yastws/fastcgi_params
%config /etc/yastws/koi-utf
%config /etc/yastws/koi-win
%config /etc/yastws/mime.types
%config /etc/yastws/scgi_params
%config /etc/yastws/uwsgi_params
%config /etc/yastws/win-utf
%config /etc/sysconfig/SuSEfirewall2.d/services/webyast
%config /usr/share/PolicyKit/policy/org.opensuse.yast.permissions.policy
%config %{webyast_ws_dir}/config/environment.rb
%config(noreplace) /etc/yast_user_roles
%config %{_sysconfdir}/init.d/%{webyast_ws_service}
%{_sbindir}/rc%{webyast_ws_service}
%doc COPYING
%ghost %attr(755,root,root) /var/adm/update-scripts/%name-%version-%release-1

%files testsuite
%defattr(-,root,root)
%{webyast_ws_dir}/test

#---------------------------------------------------------------
%changelog

++++++ grantwebyastrights ++++++
#!/usr/bin/ruby
#
#--
# Webyast Webservice framework
#
# Copyright (C) 2009, 2010 Novell, Inc.
# This library is free software; you can redistribute it and/or modify
# it only under the terms of version 2.1 of the GNU Lesser General Public
# License as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#++
#
# grantwebyastrights
#
# show, grant and revoke policies for YaST webservice
#
# run: grantwebyastrights
#
# FIXME grant really All rights to run webyast, (so also packagekit rights, hal rights for system plugin etc)
#

require 'fileutils'
require 'getoptlong'

$debug = 0

def usage why
  STDERR.puts why
  STDERR.puts ""
  STDERR.puts "Usage: grantwebyastrights --user <user> --action (show|grant|revoke)"
  STDERR.puts "NOTE: This program should be run by user root"
  STDERR.puts ""
  STDERR.puts "This call grants/revokes ALL permissions for the YaST Webservice."
  STDERR.puts "In order to grant/revoke single rights use:"
  STDERR.puts "polkit-auth --user <user> (--grant|--revoke) <policyname>"
  STDERR.puts ""
  STDERR.puts "In order to show all possible permissions use:"
  STDERR.puts "polkit-action"
  exit 1
end

# --debug is handled below, so it has to be declared here as well,
# otherwise GetoptLong rejects it as an invalid option
options = GetoptLong.new(
  [ "--user", GetoptLong::REQUIRED_ARGUMENT ],
  [ "--action", GetoptLong::REQUIRED_ARGUMENT ],
  [ "--debug", GetoptLong::NO_ARGUMENT ]
)

user = nil
action = nil

begin
  options.each do |opt, arg|
    case opt
    when "--user" then user = arg
    when "--action" then action = arg
    when "--debug" then $debug += 1
    end
  end
rescue GetoptLong::InvalidOption => o
  usage "Invalid option #{o}"
end

$debug = nil if $debug == 0

usage "excessive arguments" unless ARGV.empty?
usage "user parameter missing" unless user
usage "action parameter (show|grant|revoke) missing" unless action

SuseString = "org.opensuse.yast"

def webyast_perm?(perm)
  return (perm.include? SuseString) && (not perm.include? ".scr")
end

def granted_perms(user)
  perms = `polkit-auth --user '#{user}' --explicit`
  # do NOT raise on error here: during package installation this call always returns an error
  # raise "polkit-auth failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero?
  perms = perms.split "\n"
  perms.reject! { |perm| not webyast_perm?(perm) }
  return perms
end

def webyast_perms
  perms = `polkit-action`
  raise "polkit-action failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero?
  perms = perms.split "\n"
  perms.reject! { |perm| not webyast_perm?(perm) }
  return perms
end

begin
  case action
  when "grant" then
    granted = granted_perms user
    non_granted = webyast_perms.reject { |perm| granted.include? perm }
    non_granted.each do |policy|
      STDOUT.puts "granting: #{policy}"
      out = `polkit-auth --user '#{user}' --grant '#{policy}'`
      # do NOT raise on error here: during package installation this call can return an error for
      # already existing permissions (it is not possible to check this beforehand)
      # raise "Granting permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero?
    end
  when "show"
    STDOUT.puts granted_perms(user).join("\n")
  when "revoke"
    granted = granted_perms user
    granted.each do |policy|
      STDOUT.puts "revoking: #{policy}"
      out = `polkit-auth --user '#{user}' --revoke '#{policy}'`
      raise "Revoking permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero?
    end
  end
rescue Exception => e
  STDERR.puts e.message
  Process.exit! 1
end

++++++ nginx.conf ++++++
user yastws yastws;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

pid /var/run/yastws.pid;

events {
    worker_connections 1024;
}

http {
    # Note: passenger_root option is automatically updated by
    # /etc/init.d/yastws script at start up
    passenger_root /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.1;
    passenger_ruby /usr/bin/ruby;
    passenger_pool_idle_time 300;
    passenger_min_instances 0;
    passenger_default_user yastws;
    passenger_user yastws;
    passenger_max_pool_size 1;
    passenger_max_instances_per_app 1;
    passenger_spawn_method conservative;

    client_body_temp_path /var/lib/nginx/tmp_yastws 1 2;
    fastcgi_temp_path /var/lib/nginx/fastcgi_yastws 1 2;
    proxy_temp_path /var/lib/nginx/proxy_yastws 1 2;

    include mime.types;
    default_type application/octet-stream;

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    server {
        listen 4984;
        server_name localhost;
        root /srv/www/yastws/public;
        passenger_enabled on;
        rails_framework_spawner_idle_time 300;
        rails_app_spawner_idle_time 300;
    }
}

++++++ webyast ++++++
# SuSEfirewall2 service definition
## Name: WebYaST
## Description: The back end of WebYaST, http://en.opensuse.org/WebYaST

# space separated list of allowed TCP ports
TCP="4984"

++++++ webyast-base-ws-rpmlintrc ++++++
# ignore security warnings (unauthorized DBus service and its permissions) for now
addFilter("E: suse-dbus-unauthorized-service")
addFilter("I: polkit-unauthorized-privilege")

++++++ webyast.permissions.conf ++++++
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="webyast.permissions.service" />
    <allow send_destination="webyast.permissions.service" />
  </policy>
  <!-- anyone can call service as it is protected by policyKit -->
  <policy context="default">
    <allow
send_destination="webyast.permissions.service" />
  </policy>
</busconfig>

++++++ webyastPermissionsService.rb ++++++
#!/usr/bin/env ruby
#--
# Webyast Webservice framework
#
# Copyright (C) 2009, 2010 Novell, Inc.
# This library is free software; you can redistribute it and/or modify
# it only under the terms of version 2.1 of the GNU Lesser General Public
# License as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#++

require 'rubygems'
require 'dbus'
require 'etc'
require 'polkit'

# Choose the bus (could also be DBus::session_bus, which is not suitable for a system service)
bus = DBus::system_bus

# Define the service name
service = bus.request_service("webyast.permissions.service")

class WebyastPermissionsService < DBus::Object
  # overriding DBus::Object#dispatch
  # It is needed because dispatch sends just the parameters, and without the sender it is
  # impossible to check the permissions of the sender. So to avoid it add the sender id as
  # the last parameter.
  def dispatch(msg)
    msg.params << msg.sender
    super(msg)
  end

  def log(msg)
    f = File.new("/srv/www/yastws/log/permission_service.log", "a", 0600)
    f.write(msg + "\n")
    f.close
  end

  # Create an interface.
  dbus_interface "webyast.permissions.Interface" do
    dbus_method :grant, "out result:as, in permissions:as, in user:s" do |permissions, user, sender|
      result = execute("grant", permissions, user, sender)
      log "Grant permissions #{permissions.inspect} for user #{user} with result #{result.inspect}"
      [result]
    end

    dbus_method :revoke, "out result:as, in permissions:as, in user:s" do |permissions, user, sender|
      result = execute("revoke", permissions, user, sender)
      log "Revoke permissions #{permissions.inspect} for user #{user} with result #{result.inspect}"
      [result]
    end
  end

  USER_REGEX = /\A[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/
  USER_WITH_DOMAIN_REGEX = /\A[a-zA-Z0-9][a-zA-Z0-9\-.]*\\[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/

  def execute(command, permissions, user, sender)
    #TODO polkit check, user escaping, perm whitespacing
    return ["NOPERM"] unless check_polkit sender
    return ["USER_INVALID"] if invalid_user_name? user
    result = []
    permissions.each do |p|
      # whitespace check for valid permission string to avoid attack;
      # \A and \z anchor the whole string (^ and $ only match line boundaries in Ruby)
      if p.match(/\A[a-zA-Z][a-zA-Z0-9.-]*\z/)
        result << `polkit-auth --user '#{user}' --#{command} '#{p}' 2>&1`
      else
        result << "perm #{p} is INVALID"
      end
    end
    return result
  end

  PERMISSION = "org.opensuse.yast.permissions.write"

  def check_polkit(sender)
    uid = DBus::SystemBus.instance.proxy.GetConnectionUnixUser(sender)[0]
    user = Etc.getpwuid(uid).name
    begin
      return PolKit.polkit_check(PERMISSION, user) == :yes
    rescue Exception => e
      return false
    end
  end

  def invalid_user_name? user
    active_directory_enabled = `/usr/sbin/pam-config -q --winbind 2>/dev/null | wc -w`.to_i > 0
    return false if user.match(USER_REGEX)
    return false if active_directory_enabled && user.match(USER_WITH_DOMAIN_REGEX)
    return true
  end
end

# Set the object path
obj = WebyastPermissionsService.new("/webyast/permissions/Interface")

# Export it!
service.export(obj)

# Now listen to incoming requests
main = DBus::Main.new
main << bus
main.run

++++++ webyast.permissions.service.service ++++++
# DBus service activation config
[D-BUS Service]
Name=webyast.permissions.service
Exec=/usr/sbin/webyastPermissionsService.rb
User=root

++++++ webyast-ws.lr.conf ++++++
/srv/www/yastws/log/production.log /srv/www/yastws/log/development.log /srv/www/yastws/log/lighttpd.access.log /srv/www/yastws/log/lighttpd.error.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 600 yastws yastws
    postrotate
        /etc/init.d/yastws reload
    endscript
}

++++++ yast_user_roles ++++++
#
# file : /etc/yast_user_roles
#
# This file describes roles of user accounts for the YaST Webservice
#   "user accounts": System account which is accessible e.g. via PAM.
#   "roles"        : Describes user accounts for which policies have
#                    been generated
#
# Format: <user> <role 1>,<role 2>,...<role n>
#

++++++ yastws ++++++
#!/bin/sh
#
# Copyright (C) 1995--2007 Marcus Rückert, SUSE / Novell Inc.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, # USA. # # /etc/init.d/yastws # and its symbolic link # /(usr/)sbin/rcyastws # # # LSB compatible service control script; see http://www.linuxbase.org/spec/ # # Note: This template uses functions rc_XXX defined in /etc/rc.status on # UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your # script on this template and ensure that it works on non UL based LSB # compliant Linux distributions, you either have to provide the rc.status # functions from UL or change the script to work without them. # See skeleton.compat for a template that works with other distros as well. # ### BEGIN INIT INFO # Provides: yastws # Required-Start: $syslog $remote_fs # Should-Start: $time ypbind sendmail yastwc # Required-Stop: $syslog $remote_fs # Should-Stop: $time ypbind sendmail yastwc # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: yastws # Description: Start yastws ### END INIT INFO # # Any extensions to the keywords given above should be preceeded by # X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. # # Notes on Required-Start/Should-Start: # * There are two different issues that are solved by Required-Start # and Should-Start # (a) Hard dependencies: This is used by the runlevel editor to determine # which services absolutely need to be started to make the start of # this service make sense. Example: nfsserver should have # Required-Start: $portmap # Also, required services are started before the dependent ones. # The runlevel editor will warn about such missing hard dependencies # and suggest enabling. During system startup, you may expect an error, # if the dependency is not fulfilled. # (b) Specifying the init script ordering, not real (hard) dependencies. 
#     This is needed by insserv to determine which service should be
#     started first (and at a later stage what services can be started
#     in parallel). The tag Should-Start: is used for this.
#     It tells, that if a service is available, it should be started
#     before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a $. The following ones are available
#   according to LSB (1.1):
#       $local_fs       all local file systems are mounted
#                       (most services should need this!)
#       $remote_fs      all remote file systems are mounted
#                       (note that /usr may be remote, so
#                        many services should Require this!)
#       $syslog         system logging facility up
#       $network        low level networking (eth card, ...)
#       $named          hostname resolution available
#       $netdaemons     all network daemons are running
#   The $netdaemons pseudo service has been removed in LSB 1.2.
#   For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#       $time           the system time has been set correctly
#       $portmap        SunRPC portmapping service available
#   UnitedLinux extensions:
#       $ALL            indicates that a script should be inserted
#                       at the end
# * The services specified in the stop tags
#   (Required-Stop/Should-Stop)
#   specify which services need to be still running when this service
#   is shut down. Often the entries there are just copies or a subset
#   from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
#   insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
#   a startup script should default to be enabled after installation.
#   It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff                     6 - reboot
# 1 - single user                       2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
NGINX_BIN=/usr/sbin/nginx
test -x $NGINX_BIN || { echo "$NGINX_BIN not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

# Check for existence of needed config file and read it
NGINX_CONFIG=/etc/yastws/nginx.conf
test -r $NGINX_CONFIG || { echo "$NGINX_CONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 6; fi; }

PID_FILE=/var/run/yastws.pid

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
        echo -n "Starting yastws "
        # generate deployment specific secret key (bnc#591345)
        SECRET=`cd /srv/www/yastws/ && rake -s secret`
        # quote the variable: an empty SECRET must not leave test without an operand
        if [ -z "$SECRET" ]; then
            echo -n "Cannot generate secret for session. Run 'cd /srv/www/yastws/ && rake -s secret' for details."
            rc_failed
            rc_status -v
            rc_exit
        fi
        # replace the default secret shipped in environment.rb; the pattern only
        # matches on the first start, so a later restart keeps the generated one
        sed -i 's/9d11bfc98abcf9799082d9c34ec94dc1cc926f0f1bf4bea8c440b497d96b14c1f712c8784d0303ee7dd69e382c3e5e4d38d4c56d1b619eae7acaa6516cd733b1/'"$SECRET"/ /srv/www/yastws/config/environment.rb

        # patch passenger config root if the current config is different
        # (after updating passenger or on a different arch than the default)
        grep -q "^[ \\t]*passenger_root[ \\t][ \\t]*`passenger-config --root`;" $NGINX_CONFIG || sed -i.bak "s#^\\([ \\t]*\\)passenger_root[ \\t].*\$#\\1passenger_root `passenger-config --root`;#" $NGINX_CONFIG

        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        /sbin/startproc -p $PID_FILE $NGINX_BIN -c $NGINX_CONFIG

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down yastws "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.

        /sbin/killproc -TERM -p $PID_FILE $NGINX_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
            echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset        # Not running is not a failure.
        fi

        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart the service if it
        ## is running.

        echo -n "Reload service yastws "
        ## if it supports it:
        /sbin/killproc -p $PID_FILE -HUP $NGINX_BIN
        rc_status -v

        ## Otherwise:
        #$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)

        # If it supports signaling:
        echo -n "Reload service yastws "
        /sbin/killproc -HUP -p $PID_FILE $NGINX_BIN
        #touch /var/run/yastws.pid
        rc_status -v

        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service yastws "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        /sbin/checkproc -p $PID_FILE $NGINX_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        # a reload is needed when the config file is newer than the pid file
        test $NGINX_CONFIG -nt /var/run/yastws.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...

--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
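The start) branch of the yastws init script above swaps the session secret shipped in environment.rb for one generated on first start (bnc#591345). As an added example, not code from the webyast-base-ws package, here is the same replacement done idempotently, together with a check an administrator can run to find deployments that still carry the shipped default; the environment.rb line used as input is constructed, and `gen_secret` stands in for `rake secret`.

```shell
#!/bin/sh
# Added example, not part of webyast-base-ws: replace a shipped default
# session secret once, and report deployments still running on the default.

# The default value the init script's sed command replaces in environment.rb.
DEFAULT_SECRET=9d11bfc98abcf9799082d9c34ec94dc1cc926f0f1bf4bea8c440b497d96b14c1f712c8784d0303ee7dd69e382c3e5e4d38d4c56d1b619eae7acaa6516cd733b1

# has_default_secret FILE: exit 0 if FILE still contains the shipped default.
# Useful as a post-install check: a deployment that matches still signs its
# sessions with a secret every installation of the package knows.
has_default_secret() {
    grep -q "$DEFAULT_SECRET" "$1"
}

# gen_secret: 64 random bytes as 128 hex characters (stand-in for
# `rake -s secret`, which the init script uses; assumption for the demo).
gen_secret() {
    od -An -N64 -tx1 /dev/urandom | tr -d ' \n'
}

# replace_default_secret FILE
#   0: default replaced and verified gone
#   1: no secret could be generated (the case the init script guards)
#   2: default already replaced, nothing to do (safe to call on every start)
replace_default_secret() {
    file=$1
    has_default_secret "$file" || return 2
    secret=$(gen_secret)
    # Quote the variable: an unquoted empty value would turn the test into
    # a one-argument `[ -z ]`, which is always true by accident, not design.
    [ -n "$secret" ] || return 1
    sed -i.bak "s/$DEFAULT_SECRET/$secret/" "$file"
    rm -f "$file.bak"
    ! has_default_secret "$file"
}

# Usage: replace_default_secret /srv/www/yastws/config/environment.rb
```

Calling `replace_default_secret` from every start is harmless: once the default is gone it returns 2 without touching the file, so a generated secret survives restarts.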